[RADIATOR] 'No logon servers' access-reject problem
Heikki Vatiainen
hvn at open.com.au
Mon Apr 8 14:42:29 UTC 2019
On 01/04/2019 15.34, lukas.bielinski at zv.fraunhofer.de wrote:
> Sat Mar 21 11:30:37 2019: WARNING: NTLM Could not authenticate user 'USER': No logon servers
> Sat Mar 21 11:30:37 2019: INFO: Accounting: User: USER AuthBy; authby-withoutrealm, OriginalUserName: USER, NAS-IP-Address: 1.2.3.4, NAS-Identifier: eduroam, NAS-Port: 0, Calling-Station-Id: AABBCC112233, Form-Station-Id: 11:22:33:AA:BB:CC, Result: 1, Result String: EAP MSCHAP-V2 Authentication failure
> This message is sent as an 'access-reject' to the radsecproxy and
> client, which is a legitimate RADIUS message for all network devices,
> even though this should not happen. At this point, the radsecproxy
> sees no reason to fail over upcoming authentication requests to the
> second Radiator, which works fine with the DCs.
I can see why this is a problem. Unfortunately, currently the NTLM
credentials check returns binary output: OK or not OK. There's no method
to say "Can't tell".
I've been looking at this and while there are ways to make this work, it
requires code changes and cannot be solved with configuration only. The
good part is that, at the same time, we could make the reason code
available too.
Another thing currently is that while a more detailed reason is
logged in the debug log, it's not available in the authentication log.
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
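Until the reason code reaches the authentication log, the distinction the thread asks for can still be made on the log side. Added example, not from the thread or from Radiator: a small Python check that separates "No logon servers" warnings (the NTLM helper could not reach a domain controller) from genuine credential failures, so a backend outage is visible to monitoring instead of being counted as ordinary rejects; the sample lines, usernames, IP address and the "Logon failure" reason string are constructed placeholders modelled on the quoted log.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the Radiator log quoted in the thread.
# Usernames, the NAS address and the "Logon failure" reason are placeholders.
SAMPLE_LOG = [
    "Sat Mar 21 11:30:37 2019: WARNING: NTLM Could not authenticate user 'alice': No logon servers",
    "Sat Mar 21 11:30:37 2019: INFO: Accounting: User: alice AuthBy; authby-withoutrealm, NAS-IP-Address: 192.0.2.10, Result: 1, Result String: EAP MSCHAP-V2 Authentication failure",
    "Sat Mar 21 11:30:41 2019: WARNING: NTLM Could not authenticate user 'carol': No logon servers",
    "Sat Mar 21 11:30:41 2019: INFO: Accounting: User: carol AuthBy; authby-withoutrealm, NAS-IP-Address: 192.0.2.10, Result: 1, Result String: EAP MSCHAP-V2 Authentication failure",
    "Sat Mar 21 11:31:02 2019: WARNING: NTLM Could not authenticate user 'bob': Logon failure",
    "Sat Mar 21 11:31:02 2019: INFO: Accounting: User: bob AuthBy; authby-withoutrealm, NAS-IP-Address: 192.0.2.10, Result: 1, Result String: EAP MSCHAP-V2 Authentication failure",
]

# Matches the WARNING line Radiator writes when the NTLM check fails.
NTLM_WARN = re.compile(
    r"^(?P<ts>.+?): WARNING: NTLM Could not authenticate user "
    r"'(?P<user>[^']*)': (?P<reason>.+)$"
)

# Reasons that mean "the credentials could not be checked at all", as opposed
# to "the credentials were wrong". Only the reason seen in the thread is
# listed; extend the set from your own logs.
INFRA_REASONS = {"no logon servers"}


def classify(line):
    """Return (user, 'infra' | 'credential') for an NTLM warning line, else None."""
    m = NTLM_WARN.match(line)
    if not m:
        return None
    reason = m.group("reason").strip().lower()
    kind = "infra" if reason in INFRA_REASONS else "credential"
    return m.group("user"), kind


def summarize(lines):
    """Count rejects by kind so a DC outage is not hidden among real failures."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit is not None:
            counts[hit[1]] += 1
    return counts


def backend_looks_down(lines, min_infra=2):
    """True when at least min_infra consecutive NTLM rejects were infra failures."""
    streak = 0
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        streak = streak + 1 if hit[1] == "infra" else 0
        if streak >= min_infra:
            return True
    return False
```

Feeding the real log tail to backend_looks_down gives monitoring a signal that the proxy itself never sees, since the Access-Reject looks identical in both cases.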